From JBPAPP-1983 (https://jira.jboss.org/jira/browse/JBPAPP-1983): The JMX console does not encode quote characters if they are trailing after the colon (key property), which allows cross-site scripting attacks.
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 4, via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 4, via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
This issue has been addressed in the following products: JBEAP 4.3.0 for RHEL 5, via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
This issue has been addressed in the following products: JBEAP 4.2.0 for RHEL 5, via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html